Yes. You point out some bad, terrible practices that happen in the
wild at either hopelessly amateur shops or shops that grew too fast from
the naïve age of CGI and have escaped being hacked by virtue of being
too small or too pointless to be worth the trouble; or not knowing they have been hacked.
The list of responses and practical fixes to the issues would
fill an entire website, which you already cited: OWASP. There is
NO package or module or framework or single set of best practices that
solves for all this and even if there were it would change constantly.
You just have to know what you're doing and you have to keep up.
Every dev worth her salt knew the context sensitivity in CGI->param so used it without introducing exploits.
Mojolicious cookies are slightly more secure out of the
box than other current frameworks. Crypt::Eksblowfish::Bcrypt
passwords are better by far than Digest::SHA but new chips
and algorithms have already made it weaker than it was. It's a
laundry list full of—Yeah, so what? You need to know that—and
like a doctor who doesn't read medical journals, a
dev who doesn't keep up with the art isn't safe or reliable.
Imagine posting on a biology forum: Mobility in organisms? Let's hear your ideas. It's a sawed-off shotgun fired into the air. Picking one security issue or an actual, open problem you're facing with some GODDAMNED WORKING CODE would be more likely to fruit.
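The CGI->param context sensitivity mentioned above is worth seeing rather than just naming. The following is an added illustration, not code from the post or its author: it builds a CGI object from a constructed query string in which an attacker repeats the "name" parameter, and shows how a hash constructor that calls param() in list context lets those extra values overwrite a server-set key, beside the scalar-context form that does not. It assumes CGI.pm is installed; multi_param() is the explicit list accessor added in CGI.pm 4.08 and is only referenced in a comment.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: the client sent "name" three times. Only "alice"
# is the intended value; "role" and "admin" are there to poison a hash.
my $q = CGI->new('name=alice&name=role&name=admin');

# Vulnerable form: param() is evaluated in LIST context inside the hash
# constructor, so it expands to ('alice', 'role', 'admin'). The resulting
# key/value list is (role => 'user', name => 'alice', role => 'admin'),
# and the later 'role' wins: the client has promoted itself.
sub profile_unsafe {
    my ($cgi) = @_;
    my %profile = (
        role => 'user',              # set by the server, supposedly fixed
        name => $cgi->param('name'), # list context: every value leaks in
    );
    return \%profile;
}

# Hardened form: force SCALAR context so only the first value is used,
# and the shape of the hash is exactly what the programmer wrote.
# When several values really are expected, ask for them explicitly with
# $cgi->multi_param('name') (CGI.pm 4.08+) and handle the list on purpose.
sub profile_safe {
    my ($cgi) = @_;
    my %profile = (
        role => 'user',
        name => scalar($cgi->param('name')), # first value only: 'alice'
    );
    return \%profile;
}

my $bad  = profile_unsafe($q);
my $good = profile_safe($q);

printf "unsafe: name=%s role=%s\n", $bad->{name},  $bad->{role};   # role=admin
printf "safe:   name=%s role=%s\n", $good->{name}, $good->{role};  # role=user
```

Current CGI.pm releases also emit a warning when param() is called in list context, which makes the unsafe pattern easy to spot in logs or test output; fixing the context at the call site, as in profile_safe, is the actual repair.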